[ 44.468440] audit: type=1800 audit(1555422361.416:27): pid=5283 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2469 res=0
[ 44.487955] audit: type=1800 audit(1555422361.416:28): pid=5283 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="ssh" dev="sda1" ino=2450 res=0
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ 45.313264] audit: type=1800 audit(1555422362.306:29): pid=5283 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="rc.local" dev="sda1" ino=2465 res=0
[ 45.332728] audit: type=1800 audit(1555422362.306:30): pid=5283 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="rmnologin" dev="sda1" ino=2456 res=0

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.182' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 55.848045] usb 1-1: new high-speed USB device number 2 using dummy_hcd
[ 56.087986] usb 1-1: Using ep0 maxpacket: 8
[ 56.208018] usb 1-1: config 0 has an invalid interface number: 28 but max is 0
[ 56.215531] usb 1-1: config 0 has no interface number 0
[ 56.221052] usb 1-1: New USB device found, idVendor=04fa, idProduct=2490, bcdDevice=74.f9
[ 56.229474] usb 1-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0
[ 56.238621] usb 1-1: config 0 descriptor??
[ 56.478183] ==================================================================
[ 56.485777] BUG: KASAN: use-after-free in ds_probe+0x604/0x760
[ 56.491755] Read of size 1 at addr ffff88821b13c202 by task kworker/0:2/532
[ 56.498836]
[ 56.500458] CPU: 0 PID: 532 Comm: kworker/0:2 Not tainted 5.1.0-rc4-319354-g9a33b36 #3
[ 56.508510] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 56.517892] Workqueue: usb_hub_wq hub_event
[ 56.522206] Call Trace:
[ 56.524809]  dump_stack+0xe8/0x16e
[ 56.528339]  ? ds_probe+0x604/0x760
[ 56.532045]  ? ds_probe+0x604/0x760
[ 56.535656]  print_address_description+0x6c/0x236
[ 56.540636]  ? ds_probe+0x604/0x760
[ 56.544247]  ? ds_probe+0x604/0x760
[ 56.547858]  kasan_report.cold+0x1a/0x3c
[ 56.551914]  ? ds_probe+0x604/0x760
[ 56.555525]  ds_probe+0x604/0x760
[ 56.558995]  usb_probe_interface+0x31d/0x820
[ 56.563392]  ? usb_probe_device+0x150/0x150
[ 56.567711]  really_probe+0x2da/0xb10
[ 56.571498]  driver_probe_device+0x21d/0x350
[ 56.575910]  __device_attach_driver+0x1d8/0x290
[ 56.580573]  ? driver_allows_async_probing+0x160/0x160
[ 56.585837]  bus_for_each_drv+0x163/0x1e0
[ 56.589971]  ? bus_rescan_devices+0x30/0x30
[ 56.594275]  ? _raw_spin_unlock_irqrestore+0x4b/0x60
[ 56.599367]  ? lockdep_hardirqs_on+0x37e/0x580
[ 56.603949]  __device_attach+0x223/0x3a0
[ 56.607998]  ? device_bind_driver+0xe0/0xe0
[ 56.612322]  ? kobject_uevent_env+0x295/0x13d0
[ 56.616888]  bus_probe_device+0x1f1/0x2a0
[ 56.621038]  ? blocking_notifier_call_chain+0x59/0xb0
[ 56.626214]  device_add+0xad2/0x16e0
[ 56.629914]  ? get_device_parent.isra.0+0x560/0x560
[ 56.634929]  ? _raw_spin_unlock_irqrestore+0x4b/0x60
[ 56.640041]  usb_set_configuration+0xdf7/0x1740
[ 56.644703]  generic_probe+0xa2/0xda
[ 56.648405]  usb_probe_device+0xc0/0x150
[ 56.652466]  ? usb_suspend+0x5f0/0x5f0
[ 56.656355]  really_probe+0x2da/0xb10
[ 56.660142]  driver_probe_device+0x21d/0x350
[ 56.664544]  __device_attach_driver+0x1d8/0x290
[ 56.669197]  ? driver_allows_async_probing+0x160/0x160
[ 56.674459]  bus_for_each_drv+0x163/0x1e0
[ 56.678601]  ? bus_rescan_devices+0x30/0x30
[ 56.682919]  ? _raw_spin_unlock_irqrestore+0x4b/0x60
[ 56.688018]  ? lockdep_hardirqs_on+0x37e/0x580
[ 56.692595]  __device_attach+0x223/0x3a0
[ 56.696641]  ? device_bind_driver+0xe0/0xe0
[ 56.700964]  ? kobject_uevent_env+0x295/0x13d0
[ 56.705535]  bus_probe_device+0x1f1/0x2a0
[ 56.709685]  ? blocking_notifier_call_chain+0x59/0xb0
[ 56.714877]  device_add+0xad2/0x16e0
[ 56.718610]  ? get_device_parent.isra.0+0x560/0x560
[ 56.723701]  usb_new_device.cold+0x537/0xccf
[ 56.728103]  hub_event+0x138e/0x3b00
[ 56.731810]  ? hub_port_debounce+0x350/0x350
[ 56.736212]  ? _raw_spin_unlock_irq+0x29/0x40
[ 56.740699]  process_one_work+0x90f/0x1580
[ 56.744921]  ? wq_pool_ids_show+0x300/0x300
[ 56.749235]  ? do_raw_spin_lock+0x11f/0x290
[ 56.753552]  worker_thread+0x9b/0xe20
[ 56.757347]  ? process_one_work+0x1580/0x1580
[ 56.761919]  kthread+0x313/0x420
[ 56.765269]  ? kthread_park+0x1a0/0x1a0
[ 56.769251]  ret_from_fork+0x3a/0x50
[ 56.773206]
[ 56.774820] Allocated by task 5429:
[ 56.778463]  __kasan_kmalloc.constprop.0+0xbf/0xd0
[ 56.783379]  ext4_readdir+0x1bee/0x2d10
[ 56.787338]  iterate_dir+0x481/0x5e0
[ 56.791036]  __x64_sys_getdents+0x1e2/0x370
[ 56.795345]  do_syscall_64+0xcf/0x4f0
[ 56.799151]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 56.804342]
[ 56.805969] Freed by task 5429:
[ 56.809244]  __kasan_slab_free+0x130/0x180
[ 56.813471]  slab_free_freelist_hook+0x5e/0x140
[ 56.818125]  kfree+0xce/0x290
[ 56.821236]  ext4_release_dir+0x4e/0x60
[ 56.825195]  __fput+0x2df/0x8c0
[ 56.828461]  task_work_run+0x149/0x1c0
[ 56.832680]  exit_to_usermode_loop+0x243/0x270
[ 56.837263]  do_syscall_64+0x40c/0x4f0
[ 56.841159]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 56.846333]
[ 56.847958] The buggy address belongs to the object at ffff88821b13c1e0
[ 56.847958]  which belongs to the cache kmalloc-64 of size 64
[ 56.860432] The buggy address is located 34 bytes inside of
[ 56.860432]  64-byte region [ffff88821b13c1e0, ffff88821b13c220)
[ 56.872124] The buggy address belongs to the page:
[ 56.877057] page:ffffea00086c4f00 count:1 mapcount:0 mapping:ffff88812c3f5600 index:0x0
[ 56.885200] flags: 0x57ff00000000200(slab)
[ 56.889423] raw: 057ff00000000200 dead000000000100 dead000000000200 ffff88812c3f5600
[ 56.897298] raw: 0000000000000000 00000000802a002a 00000001ffffffff 0000000000000000
[ 56.905182] page dumped because: kasan: bad access detected
[ 56.910875]
[ 56.912485] Memory state around the buggy address:
[ 56.917408]  ffff88821b13c100: fc fc fc fc fb fb fb fb fb fb fb fb fc fc fc fc
[ 56.924750]  ffff88821b13c180: 00 00 00 00 00 00 fc fc fc fc fc fc fb fb fb fb
[ 56.932099] >ffff88821b13c200: fb fb fb fb fc fc fc fc 00 00 00 00 00 00 00 00
[ 56.944044]                    ^
[ 56.947393]  ffff88821b13c280: fc fc fc fc fb fb fb fb fb fb fb fb fc fc fc fc
[ 56.954730]  ffff88821b13c300: fb fb fb fb fb fb fb fb fc fc fc fc 00 00 00 00
[ 56.962232] ==================================================================
[ 56.969572] Disabling lock debugging due to kernel taint
[ 56.975431] Kernel panic - not syncing: panic_on_warn set ...
[ 56.981335] CPU: 0 PID: 532 Comm: kworker/0:2 Tainted: G B 5.1.0-rc4-319354-g9a33b36 #3
[ 56.990775] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 57.000142] Workqueue: usb_hub_wq hub_event
[ 57.004478] Call Trace:
[ 57.007085]  dump_stack+0xe8/0x16e
[ 57.010634]  panic+0x29d/0x5f2
[ 57.013829]  ? __warn_printk+0xf8/0xf8
[ 57.017725]  ? retint_kernel+0x10/0x10
[ 57.021619]  ? trace_hardirqs_on+0x55/0x1c0
[ 57.025940]  ? ds_probe+0x604/0x760
[ 57.029581]  end_report+0x48/0x4e
[ 57.033036]  ? ds_probe+0x604/0x760
[ 57.036656]  kasan_report.cold+0xd/0x3c
[ 57.040630]  ? ds_probe+0x604/0x760
[ 57.044252]  ds_probe+0x604/0x760
[ 57.047703]  usb_probe_interface+0x31d/0x820
[ 57.052191]  ? usb_probe_device+0x150/0x150
[ 57.056513]  really_probe+0x2da/0xb10
[ 57.060309]  driver_probe_device+0x21d/0x350
[ 57.064713]  __device_attach_driver+0x1d8/0x290
[ 57.069375]  ? driver_allows_async_probing+0x160/0x160
[ 57.074650]  bus_for_each_drv+0x163/0x1e0
[ 57.078796]  ? bus_rescan_devices+0x30/0x30
[ 57.083130]  ? _raw_spin_unlock_irqrestore+0x4b/0x60
[ 57.088410]  ? lockdep_hardirqs_on+0x37e/0x580
[ 57.092995]  __device_attach+0x223/0x3a0
[ 57.097068]  ? device_bind_driver+0xe0/0xe0
[ 57.101399]  ? kobject_uevent_env+0x295/0x13d0
[ 57.105982]  bus_probe_device+0x1f1/0x2a0
[ 57.110149]  ? blocking_notifier_call_chain+0x59/0xb0
[ 57.115429]  device_add+0xad2/0x16e0
[ 57.119161]  ? get_device_parent.isra.0+0x560/0x560
[ 57.124186]  ? _raw_spin_unlock_irqrestore+0x4b/0x60
[ 57.129395]  usb_set_configuration+0xdf7/0x1740
[ 57.134087]  generic_probe+0xa2/0xda
[ 57.137803]  usb_probe_device+0xc0/0x150
[ 57.141859]  ? usb_suspend+0x5f0/0x5f0
[ 57.145758]  really_probe+0x2da/0xb10
[ 57.149559]  driver_probe_device+0x21d/0x350
[ 57.153966]  __device_attach_driver+0x1d8/0x290
[ 57.158632]  ? driver_allows_async_probing+0x160/0x160
[ 57.163907]  bus_for_each_drv+0x163/0x1e0
[ 57.168056]  ? bus_rescan_devices+0x30/0x30
[ 57.172389]  ? _raw_spin_unlock_irqrestore+0x4b/0x60
[ 57.177494]  ? lockdep_hardirqs_on+0x37e/0x580
[ 57.182092]  __device_attach+0x223/0x3a0
[ 57.186167]  ? device_bind_driver+0xe0/0xe0
[ 57.190518]  ? kobject_uevent_env+0x295/0x13d0
[ 57.195114]  bus_probe_device+0x1f1/0x2a0
[ 57.199269]  ? blocking_notifier_call_chain+0x59/0xb0
[ 57.204474]  device_add+0xad2/0x16e0
[ 57.208216]  ? get_device_parent.isra.0+0x560/0x560
[ 57.213333]  usb_new_device.cold+0x537/0xccf
[ 57.217766]  hub_event+0x138e/0x3b00
[ 57.221501]  ? hub_port_debounce+0x350/0x350
[ 57.225951]  ? _raw_spin_unlock_irq+0x29/0x40
[ 57.230466]  process_one_work+0x90f/0x1580
[ 57.234705]  ? wq_pool_ids_show+0x300/0x300
[ 57.239027]  ? do_raw_spin_lock+0x11f/0x290
[ 57.243360]  worker_thread+0x9b/0xe20
[ 57.247167]  ? process_one_work+0x1580/0x1580
[ 57.251657]  kthread+0x313/0x420
[ 57.255018]  ? kthread_park+0x1a0/0x1a0
[ 57.258998]  ret_from_fork+0x3a/0x50
[ 57.263424] Kernel Offset: disabled
[ 57.267051] Rebooting in 86400 seconds..